Skip to main content

Migrating Windows Devices from SCCM to Intune Using PowerShell: A Comprehensive Step-by-Step Guide

ยท 16 min read
marvika
marvika
Digital Workplace enthusiast

Are you aiming to modernize your organization's device management by migrating from SCCM (System Center Configuration Manager) to Microsoft Intune? You're in the right place! This comprehensive guide will walk you through a forceful migration approach, leveraging PowerShell scripts to prepare your Windows devices for Windows Autopilot and seamlessly transition them to Intune (Entra Join).

We'll show you how to use SCCM to trigger a script that prepares your devices for Autopilot enrollment and reinstalls Windows. This method ensures control and efficiency, making the migration process smooth for both IT administrators and end-users.

Let's dive into the migration from SCCM to Intune using PowerShell and streamline your device management process!

Migrating Windows Devices from SCCM to Intune

๐Ÿš€ Why Migrate from SCCM to Intune?โ€‹

Before we delve into the technical details, let's understand the significance of migrating to Intune:

  • Cloud-Based Management: Intune offers cloud-native device management, allowing you to manage devices from anywhere at any time, without the need for on-premises infrastructure.
  • Enhanced Security: Access advanced threat protection features to secure your organization's data, leveraging cloud-based security tools like Microsoft Defender.
  • Simplified Deployment: Utilize Windows Autopilot for easy provisioning and setup, providing an intuitive enrollment and configuration process.
  • Improved User Experience: Seamless user experience during device setup and management.

Embracing Intune positions your organization for future growth by adopting modern, cloud-native endpoint management. Learn more about Cloud-native endpoints from Microsoft's documentation.

๐Ÿ“ Understanding the Migration Processโ€‹

This guide focuses on a forceful migration method that automates the transition from SCCM to Intune. Here's how it works:

  1. Automation with PowerShell: Use SCCM to deploy a PowerShell script that prepares devices for Windows Autopilot and reinstalls Windows.
  2. Device Preparation: The script checks and registers devices with Windows Autopilot, updates group tags, and logs activities.
  3. Windows Reinstallation: After preparation, the device reinstalls Windows, initiating the Windows Out-of-Box Experience (OOBE).
  4. Intune Enrollment: Users enroll their devices in Intune during OOBE, completing the migration.

Why Choose This Approach?โ€‹

  • Control and Efficiency: Automates the migration without manual intervention, reducing downtime.
  • Centralized Logging: Utilizes Azure Blob Storage to keep all migration logs organized.
  • Seamless Transition: Simplifies the user enrollment experience with Windows Autopilot.

Here's a flowchart illustrating the migration process:

๐Ÿ“‹ Prerequisites for Migrating SCCM to Intune Using PowerShellโ€‹

Before proceeding, ensure you have the following in place:

1. Technical Setupโ€‹

Infrastructure Readinessโ€‹

  • Network Capability: Confirm your network can support the migration process.
  • Internet Connectivity: Devices need reliable internet access for Intune enrollment and policy application.
  • Test Your Environment: Thoroughly test your Intune and Entra ID setup.
  • Compliance Policies: Review and update compliance policies in Intune.
  • Bandwidth Considerations: Refer to Intune network configuration requirements and bandwidth.

Entra ID App Registrationโ€‹

  • Register an Application: In Entra ID (formerly Azure Active Directory), register an app with Microsoft Graph permissions (DeviceManagementServiceConfig.ReadWrite.All).
  • Take Note: Record the application (client) ID, tenant ID, and create a client secret. You'll need these for the script.

Azure Storage Accountโ€‹

  • Set Up Storage Account: Create an Azure Storage Account with a container for logs.
  • Create a SAS Token: Generate a Shared Access Signature (SAS) token for secure log uploads during migration.

2. Download PSAppDeployToolkitโ€‹

3. Prepare and Customize the PowerShell Scriptโ€‹

  • Edit the Script: Customize the AutopilotAndReinstall.ps1 script with your organization's details:
    • Tenant ID
    • Group Tag
    • Client ID
    • Client Secret
    • Storage URI
    • SAS Token
  • Script Location: Access the complete script on GitHub:

4. Permissionsโ€‹

  • Administrative Rights: Ensure you have admin permissions in both SCCM and Intune.

5. User Communicationโ€‹

  • Notify Users Early: Inform users to back up their documents due to the impending device reset.
  • Data Backup: Stress the importance of using OneDrive or other backup solutions.

๐Ÿ“ Planning and Preparationโ€‹

A successful migration requires meticulous planning and preparation. Here's how to get started:

1. Assessment and Inventoryโ€‹

  • Conduct a Thorough Assessment: Evaluate your current SCCM environment, including devices and configurations.
  • Inventory Devices: Categorize devices based on their readiness for migration.
  • Identify Potential Issues: Detect dependencies or conflicts that could affect the migration.
  • Data Backup: Ensure all important data is backed up to prevent loss.

2. Communicationโ€‹

  • Inform Stakeholders: Communicate the migration plan to all relevant parties, including end-users.
  • Provide Clear Instructions: Offer guidelines and timelines to minimize disruptions.
  • Set Expectations: Be transparent about the process and potential downtime.
  • User Guides: Prepare resources to help users understand their roles.
  • Feedback Channels: Establish methods (like dedicated emails or helpdesks) for users to report issues or provide feedback.
tip

See Microsoft's recommendations for communicating changes.

๐Ÿ›  The PowerShell Script Explainedโ€‹

The script performs several key functions to facilitate the migration:

  1. Check Autopilot Registration: Verifies if the device is registered with Windows Autopilot.
  2. Update Group Tags: Adjusts the group tag if it doesn't match the intended value.
  3. Register Device in Autopilot: Uploads the hardware hash for unregistered devices.
  4. Log Activities: Records actions in a log file and uploads it to Azure Blob Storage.
  5. Error Handling: Logs errors to assist in troubleshooting.
  6. Initiate Device Reset: Reinstalls Windows to start the OOBE.

Important: Customize the script with your organization's specific details before deployment.

Script Highlightsโ€‹

  • Azure Blob Storage Logging: Ensures centralized logging for monitoring and troubleshooting.
  • Automated Windows Reinstallation: Triggers a device reset after preparing for Autopilot.
  • Error Tracking: Implements an error tracker to handle exceptions gracefully.

๐Ÿ“ฆ Step-by-Step Guide to Migrating from SCCM to Intune Using PowerShellโ€‹

Step 1: Download and Prepare PSAppDeployToolkitโ€‹

  1. Download the Toolkit: PSAppDeployToolkit
  2. Extract the Files: Unzip to a directory on your computer.
  3. Add Your Script: Place the customized AutopilotAndReinstall.ps1 in the Files folder of the toolkit.

Step 2: Modify Deploy-Application.ps1โ€‹

  1. Open the File: Navigate to the toolkit's root directory and open Deploy-Application.ps1 in a text editor.
  2. Add Pre-Installation Step:
    • Locate the pre-installation phase comment: 
      ##*===============================================
      ##* PRE-INSTALLATION
      ##*===============================================
    • Add the following line below it: 
      Show-InstallationWelcome -CustomText "Preparing for Autopilot Enrollment" -AllowDefer -ForceCountdown 3600 -DeferDays 2 -PersistPrompt
    • Parameters Explained:
      • -CustomText: Displays a message to the user.
      • -AllowDefer: Allows deferral.
      • -ForceCountdown: Sets a countdown before automatic continuation.
      • -DeferDays: Limits how many days the user can defer.
      • -PersistPrompt: Reminds users at each login.
  3. Add Installation Step:
    • Locate the installation phase comment: 
      ##*===============================================
      ##* INSTALLATION
      ##*===============================================
    • Add the following line below it: 
      Execute-Process -Path "$PSHome\powershell.exe" -Parameters "-ExecutionPolicy Bypass -File `"$dirFiles\AutopilotAndReinstall.ps1`""
  4. Save Changes: Close and save the file.

Step 3: Prepare Content for SCCMโ€‹

  1. Organize Files: Ensure all necessary files are in one directory.
  2. Upload to Network Share: Place the directory on a network share accessible by SCCM.

Step 4: Create the SCCM Applicationโ€‹

  1. Open SCCM Console: Navigate to Software Library โ†’ Application Management โ†’ Applications.
  2. Create Application: Choose Create Application and select Manually specify the application information.
  3. General Information: Provide application details (Name, Publisher).
  4. Add Deployment Type:
    • Click Add to create a new deployment type.
    • Select Script Installer.
  5. Configure Content:
    • Content Location: Enter the path to your network share.
    • Installation Program: 
      Deploy-Application.exe -DeploymentType "Install"
  6. Set Detection Method: Define how SCCM will verify the installation (e.g., check for a specific registry key or file).
  7. Configure User Experience and Requirements: Adjust settings as needed.
  8. Complete the Wizard: Review and finish the application setup.

Step 5: Deploy the SCCM Applicationโ€‹

  1. Deploy Application: Right-click the application and select Deploy.
  2. Choose Device Collection: Select the target devices.
  3. Set Deployment Settings: Ensure it's set as Required.
  4. Monitor Deployment: Keep an eye on the deployment status.
Note

Installation statuses in SCCM may be inaccurate due to device resets. Use Azure Blob Storage logs to monitor migration progress.

๐Ÿ” Monitoring the Migrationโ€‹

Use the logs uploaded to Azure Blob Storage to track the migration:

  • Access Logs: Find log files named after device serial numbers in your storage container.
  • Review Entries: Check for errors or warnings that might need attention.
  • Tools: Utilize Azure Storage Explorer for easier access.

Sample Log Contentโ€‹

2024-07-30 15:10:55 - ----------------------------------------------------------
2024-07-30 15:10:55 - Log for Autopilot registration check and update script triggered.
2024-07-30 15:10:55 - Script started.
2024-07-30 15:10:55 - ##############################
2024-07-30 15:10:55 - Serial Number: xxxxxx
2024-07-30 15:10:55 - Current Logged On User: xxxxxx
2024-07-30 15:10:55 - Autopilot Group Tag: xxxxxx
2024-07-30 15:10:55 - ##############################
2024-07-30 15:10:55 - Getting access token...
2024-07-30 15:10:55 - Getting all Autopilot devices...
2024-07-30 15:11:06 - Total devices: 16129
2024-07-30 15:11:06 - Checking if the device is registered in Autopilot...
2024-07-30 15:11:06 - Device is registered in Autopilot.
2024-07-30 15:11:06 - Group tag is correct.
2024-07-30 15:11:06 - Uploading log file to Azure Blob Storage...

๐Ÿ“ข User Communication and Supportโ€‹

Effective communication ensures users are prepared:

  1. Early Notification: Inform users well in advance about the migration.
  2. Clear Instructions: Provide step-by-step guides for the OOBE.
  3. Support Channels: Establish helpdesks or support emails.
  4. Feedback Mechanisms: Encourage reporting of issues for continuous improvement.
tip

See Microsoft's recommendations for communicating changes.

๐Ÿค” Common Issues and Troubleshootingโ€‹

Script Fails to Register Device in Autopilotโ€‹

  • Check Credentials: Verify Tenant ID, Client ID, and Client Secret in the script.
  • Network Access: Ensure the device has internet connectivity.
  • Permissions: Confirm that the application in Entra ID has the necessary permissions.

Logs Not Appearing in Azure Blob Storageโ€‹

  • SAS Token: Confirm it's valid and has proper permissions.
  • Storage Configuration: Ensure the storage account is correctly set up and accessible.
  • Firewall Settings: Check that no network policies are blocking access.

Devices Not Enrolling in Intuneโ€‹

  • Autopilot Profiles: Ensure Autopilot profiles are assigned correctly.
  • User Credentials: Verify that users have the necessary licenses and permissions.
  • Connectivity: Check for internet access during OOBE.

๐Ÿ“ Post-Migration Stepsโ€‹

1. Verification and Validationโ€‹

  • Confirm Enrollment: Ensure all devices are enrolled in Intune.
  • Policy Application: Check that devices receive the correct policies and configurations.
  • Functionality Check: Test applications and services on migrated devices.
  • Cleanup: Remove migrated devices from Active Directory and SCCM to prevent conflicts.

2. User Supportโ€‹

  • Provide Assistance: Offer support during and after migration.
  • Address Issues Promptly: Resolve problems quickly to maintain satisfaction.
  • Gather Feedback: Collect user feedback for improvements.
  • Support Documentation: Update support materials to help with common issues.

3. Continuous Improvementโ€‹

  • Review Migration Outcomes: Analyze successes and areas for enhancement.
  • Update Procedures: Modify scripts and guidelines based on feedback.
  • Share Best Practices: Document and share effective strategies.
  • Regular Training: Offer training on the latest Intune features.

โ“ Frequently Asked Questionsโ€‹

Q1: Can users opt out of the migration?โ€‹

Users can defer temporarily, but the migration will proceed eventually as required using the method provided in this article.

Q2: Is data retained after migration?โ€‹

No, Windows reinstallation means data is wiped. Backups are essential before migration.

Q3: How do I track migration status?โ€‹

Use logs stored in Azure Blob Storage, named by device serial numbers, to monitor progress.

Pro Tip: Since the logs in the Azure Storage Account container will show which devices have migrated, you can connect to it as a data source for creating detailed statistics.

Q4: What if the script fails to update the group tag?โ€‹

Check log files for errors and verify that the device has sufficient permissions. Ensure that the application in Entra ID has the required permissions.

Q5: Will SCCM functionality be affected?โ€‹

No, SCCM continues to function; the migration only impacts targeted devices.

๐Ÿ“ˆ Benefits of Moving to Intuneโ€‹

  • Cloud-Based Management: Remote device management without on-premises infrastructure.
  • Advanced Security: Leverage cloud-based security tools like Microsoft Defender.
  • Simplified Deployment: Use Autopilot for easy provisioning and setup.
  • Scalability: Easily scale device management as your organization grows.
  • Cost Efficiency: Reduce costs associated with maintaining on-premises infrastructure.

๐ŸŽฏ Wrapping Upโ€‹

Migrating from SCCM to Intune using PowerShell automation streamlines device management modernization. With careful planning, effective communication, and the right tools, you can transition smoothly and enhance your organization's operational efficiency.

Alternative Approach: Prefer a less forceful method? Adapt this process into a self-service application in the Software Center, allowing users to initiate migration at their convenience.

By harnessing PowerShell and PSAppDeployToolkit, you minimize disruption and maximize control. Ready to embark on this journey? Start your migration today!